DRAFT

These documents are starter templates pending review by legal counsel and are NOT yet in force. Last updated 2026-05-30.

LEGAL

Data Processing Addendum

KairosAI Technologies Private Limited · Last updated 2026-05-30 · Effective date: [______]

This Data Processing Addendum (“DPA”) forms part of the agreement between KairosAI Technologies Private Limited (“KairosAI”, “we”, “us”) and the Customer (“you”) for use of the KairosAI customer-service agent platform (the “Service”). It governs KairosAI’s processing of personal data on your behalf and is aligned with India’s Digital Personal Data Protection Act, 2023 (the “DPDP Act”). In the event of conflict on data-protection matters, this DPA prevails over the Terms of Service.

1. Definitions

Terms below take the meaning given in the DPDP Act:

  • Data Fiduciary — the person who, alone or with others, determines the purpose and means of processing personal data. You are the Data Fiduciary.
  • Data Processor — a person who processes personal data on behalf of a Data Fiduciary. KairosAI is the Data Processor.
  • Data Principal — the individual to whom the personal data relates (for example, your end-users).
  • Personal Data — any data about an individual who is identifiable by or in relation to such data.
  • Sub-processor — a third party engaged by KairosAI to process personal data in connection with the Service.

2. Scope & roles

This DPA applies to the processing of personal data contained in the conversation content and related data handled through the Service (such as voice recordings, transcripts, chat and email contents, and contact identifiers). You determine the purposes and means; KairosAI processes such personal data solely to provide the Service. You are responsible for the lawfulness of the data and for obtaining all required notices and consents from Data Principals.

3. Processing on documented instructions

KairosAI will process personal data only on your documented instructions, including as set out in the Terms, this DPA, and your configuration of the Service, except where otherwise required by applicable law (in which case we will inform you unless legally prohibited). We will not process the personal data for our own independent purposes.

4. Confidentiality

KairosAI will ensure that personnel authorised to process the personal data are bound by appropriate confidentiality obligations and access the data only on a need-to-know basis.

5. Security measures

KairosAI will implement and maintain reasonable technical and organisational security safeguards appropriate to the risk, including encryption in transit and at rest, role-based access controls, network and application security, logging and monitoring, and regular review of controls, consistent with the DPDP Act’s requirement to protect personal data in its possession or under its control.

6. Sub-processing

You authorise KairosAI to engage sub-processors to provide the Service. KairosAI will impose data-protection and confidentiality obligations on each sub-processor that are no less protective than those in this DPA, and remains responsible for their performance. We will maintain the list below and give you a reasonable opportunity to object to material changes to sub-processors.

Sub-processors (placeholder — to be completed)
CategorySub-processorPurposeLocation
Telephony / PSTN[Provider name]Voice call origination & termination[______]
LLM provider[Provider name]Response generation & transcription[______]
Cloud / hosting[Provider name]Application hosting & storage[______]
Messaging / WhatsApp BSP[Provider name]WhatsApp & messaging delivery[______]

7. Assistance with Data Principal requests

Taking into account the nature of the processing, KairosAI will provide reasonable assistance through appropriate technical and organisational measures to help you respond to requests by Data Principals to exercise their rights under the DPDP Act (access, correction, erasure, grievance redressal, and nomination). Where a Data Principal contacts KairosAI directly, we will refer the request to you.

8. Personal data breach notification

KairosAI will notify you without undue delay, and in any case within [seventy-two (72) hours] of becoming aware of a personal data breach affecting personal data processed under this DPA, and will provide information reasonably available to help you meet your obligations to Data Principals and the Data Protection Board of India under the DPDP Act.

9. Deletion or return on termination

On termination or expiry of the Service, or on your written request, KairosAI will delete or return the personal data processed under this DPA, and delete existing copies, except to the extent retention is required by law. We will confirm deletion on request. Default retention windows and your configurable retention settings are described in the Service.

10. Audit

On reasonable prior written notice and no more than [once per year] (or following a confirmed breach), KairosAI will make available information reasonably necessary to demonstrate compliance with this DPA, which may take the form of third-party audit reports, certifications, or a questionnaire, subject to confidentiality.

11. Cross-border transfer

Where KairosAI transfers personal data outside India through a sub-processor, it will do so in accordance with the DPDP Act and any applicable restrictions, under appropriate contractual safeguards with the recipient.

12. Liability

Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, to the maximum extent permitted by law.

13. Governing law

This DPA is governed by the laws of India and is subject to the governing-law and dispute-resolution provisions of the Terms of Service.

14. Contact

Data-protection questions under this DPA can be sent to [privacy@__________] or to our Grievance Officer at [grievance@__________], KairosAI Technologies Private Limited, [Registered office: __________, India].